Firewall Wizards: RE: VPN Design - is it possible

RE: VPN Design - is it possible

From: Sanford Reed <sanford.reed_at_cox.net>
Date: Thu, 22 Dec 2005 15:17:46 -0500

If you ASSUME:

1. That each 'Site A' PIX has a different outside address
AND
2. They are not configured using the Cisco Fail-over feature

Then there shouldn't be any reason that you couldn't build separate HW-HW
VPN tunnels from each remote site PIX. This would be an admin nightmare,
though, as each tunnel will have to be built manually from each box, one
end-point pair at a time.

Who 'owns' the IP block at 'Site A'? If it is your home company and not the
ISP's, then a simpler and more reliable solution might be (although more
costly):

1. Install a Router outside of the 'Site A' PIXs. A 2621XM can be bought for
about $1500.00 and a VWIC-2MFT-T1-D1 (2 T1s with integrated CSUs) for about
$250. This leaves room for an additional VWIC card.
2. Upgrade the 'Site A' PIXs to 515Es with Fail-over. The VPN unrestricted
version can be had for about $4K.
3. Setup BGP Routing between that Router and both ISPs.

You could then connect the 'Site A' PIXs in Fail-over mode and enjoy the
same reliability between sites. This site-to-site reliability is really
controlled by the remote sites, as each only has a single ISP with no backup
or fail-over route. A secondary benefit of this solution is that as you grow
at the home site you can add Internet T1s into the external Router by simply
adding VWIC cards.

-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Julian M D
Sent: Wednesday, December 21, 2005 10:18 AM
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] VPN Design - is it possible

Hi,

I have been given the task to accomplish some kind of failover using
PIX firewalls and 2 ISP connections as follows:

Site A - 2 PIX 506E , 2ISP - 1LAN
Site B, C, D, E, PIX 501 , 1ISP
Site F - PIX 515, 1DMZ, 1ISP

SITE A PIX 1 ------VPN------SITE B PIX----------VPN------SITE F PIX
   (ISP1)    ------VPN------SITE C PIX----------VPN------SITE F PIX
             ------VPN------SITE D PIX----------VPN------SITE F PIX
             ------VPN------SITE E PIX----------VPN------SITE F PIX

SITE A PIX 2 ------VPN------SITE B PIX----------VPN------SITE F PIX
   (ISP2)    ------VPN------SITE C PIX----------VPN------SITE F PIX
             ------VPN------SITE D PIX----------VPN------SITE F PIX
             ------VPN------SITE E PIX----------VPN------SITE F PIX

My question is: is it possible to have 2 separate VPN connections to
the same site (looking from B, C, D, E's point of view, they would see
the LAN behind SITE A using 2 separate IPSec tunnels)? Has anyone done
or seen anything similar? Do you have a better plan using the given
options?

Best regards to all, and Happy "Secure" Holidays Everyone!

Julian
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Dec 28 2005
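For the first option in the reply (separate hardware-to-hardware tunnels from each remote PIX to both 'Site A' PIXes), this is what the remote-site end can look like in PIX 6.3 syntax. It is an added example, not configuration from either message in this thread. Every name, address and key in it is made up: 203.0.113.1 and 198.51.100.1 stand for the two different outside addresses of the 'Site A' PIXes, 192.168.1.0/24 for the LAN behind Site A, 192.168.2.0/24 for the remote site's LAN, and `VPN_TO_SITEA`, `ESP-3DES-SHA` and `SITEA` are labels chosen here. It assumes exactly what the reply assumes: the two 'Site A' PIXes front the same LAN, have distinct outside addresses, and are not running Cisco failover.

```cisco
! Added example (PIX 6.3 syntax), not from the thread. All values are made up.
! Remote site PIX (e.g. Site B, a 501 with one ISP) building tunnels to
! BOTH 'Site A' PIXes, which sit on different outside addresses.

! Interesting traffic: remote LAN <-> LAN behind Site A
access-list VPN_TO_SITEA permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Do not NAT traffic that goes through the tunnel
nat (inside) 0 access-list VPN_TO_SITEA

! IKE phase 1: one policy, one pre-shared key per Site A peer address
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key MadeUpSharedSecret1 address 203.0.113.1 netmask 255.255.255.255
isakmp key MadeUpSharedSecret2 address 198.51.100.1 netmask 255.255.255.255
! Dead peer detection: probe every 10 s, retry every 3 s, so a dead
! Site A PIX is noticed and the next listed peer is tried
isakmp keepalive 10 3

! IKE phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITEA 10 ipsec-isakmp
crypto map SITEA 10 match address VPN_TO_SITEA
! Two peers on one entry: Site A PIX 1 (ISP1) first, Site A PIX 2 (ISP2) as backup
crypto map SITEA 10 set peer 203.0.113.1 198.51.100.1
crypto map SITEA 10 set transform-set ESP-3DES-SHA
crypto map SITEA interface outside

! Let IPsec-protected traffic bypass the interface access lists
sysopt connection permit-ipsec
```

Listing two addresses on `set peer` gives a backup peer, not two parallel tunnels: the PIX tries the peers in the order given when it has to bring up the SA, so the remote LAN reaches Site A over one tunnel at a time, and `isakmp keepalive` is what lets it detect that the first Site A PIX has gone away and negotiate with the second. Each 'Site A' PIX still needs its own matching crypto map entry and pre-shared key for every remote site, which is the per-endpoint-pair manual work the reply warns about. 3DES/SHA-1 with DH group 2 reflects the hardware of the time; use AES and a larger group where the platform and software support them.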
